I suggest reading the section on password complexity here
https://pages.nist.gov/800-63-3/sp800-63b.html which recommends just a
minimum length and a check against a list of the most common passwords.
On Tue, Jun 5, 2018 at 3:14 PM, Maxime Beauchemin <maximebeauche...@gmail.com> wrote:
> Agreed,
Agreed, secured by default is ideal. Though I wouldn't want people to get
an unreasonable sense of safety and open their instance to the web.
I like the idea of generating a temporary key/token and exposing it in the
console where the process was started. Other option is to use the
database/passwo
Tbh I like to go to a setup where it is secure by default. Airflow is getting
more and more used so it also increases the attack surface. If you run “initdb”
or “resetdb” it is easy to provide a generated password.
I don’t see a reason anymore for having an unsecured version.
B.
Sent from
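The two ideas above, the NIST SP 800-63B password rules (minimum length plus a blocklist of common passwords) from the first message and the generated initial password from the "initdb"/"resetdb" messages, as an added example that is not Airflow's code nor any poster's code. The blocklist, the length constants and the context-word check are constructed for illustration; a real deployment would load a large breach-derived list.

```python
"""Added example (not Airflow's code): a NIST SP 800-63B style password check
and a generator for a random initial password that setup could print once to
the console. Blocklist and rules below are constructed for illustration."""
import secrets
import string
import unicodedata
from typing import Iterable, List

MIN_LENGTH = 8    # SP 800-63B minimum for user-chosen memorized secrets
MAX_LENGTH = 64   # SP 800-63B: verifiers SHOULD accept at least 64 characters

# Constructed sample blocklist; load a large breach-derived list in practice.
COMMON_PASSWORDS = frozenset({
    "password", "123456", "12345678", "qwerty", "airflow", "admin", "letmein",
})


def normalize(pw: str) -> str:
    # NFKC normalization so visually identical strings compare equal
    return unicodedata.normalize("NFKC", pw)


def check_password(candidate: str, context_words: Iterable[str] = ()) -> List[str]:
    """Return a list of failure reasons; an empty list means acceptable.

    No composition rules (uppercase/digit/symbol quotas): 800-63B advises
    against them. Only length, a blocklist and context-specific words.
    """
    pw = normalize(candidate)
    lowered = pw.lower()
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if lowered in COMMON_PASSWORDS:
        problems.append("appears on the common-password blocklist")
    # 800-63B also names context-specific words (service name, username)
    for word in context_words:
        if word and word.lower() in lowered:
            problems.append(f"contains context-specific word {word!r}")
    # Repetitive characters ("aaaaaaaa") are another blocklist candidate
    if lowered and len(set(lowered)) == 1:
        problems.append("single repeated character")
    return problems


def generate_initial_password(length: int = 20) -> str:
    """Random password suitable for printing once at database-init time."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for sample in ("password", "short", "correct horse battery staple"):
        print(sample, "->", check_password(sample) or "ok")
    print("generated:", generate_initial_password())
```

The generator uses the `secrets` module rather than `random`, since the value is a credential; the checker deliberately has no character-class rules because 800-63B recommends against them.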
+1 to being able to disable--we have authentication in place, but use a
separate solution that (probably?) Airflow won't realize is enabled, so
having a continuous giant warning banner would be rather unfortunate.
On Tue, Jun 5, 2018 at 2:05 PM, Alek Storm wrote:
> This is a great idea, but we'd
This is a great idea, but we'd appreciate a setting that disables the
banner even if those conditions aren't met - our instance is deployed
without authentication, but is only accessible via our intranet.
Alek
On Tue, Jun 5, 2018, 3:35 PM James Meickle wrote:
> I think that a banner notificati
I think that a banner notification would be a fair penalty if you access
Airflow without authentication, or have API authentication turned off, or
are accessing via http:// with a non-localhost `Host:`. (Are there any
other circumstances to think of?)
I would also suggest serving a default robots.
> On 5 Jun 2018, at 19:51, Maxime Beauchemin wrote:
>
> What about a clear alert on the UI showing when auth is off? Perhaps a
> large red triangle-exclamation icon on the navbar with a tooltip
> "Authentication is off, this Airflow instance is not secure." and clicking
> takes you to the docs'
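The banner conditions James lists above (no UI authentication, API authentication off, plain http with a non-localhost `Host:`), together with the opt-out Alek asks for earlier in the thread, as an added example that is not Airflow's code. The config field names and the request shape are assumptions for illustration, not Airflow's actual configuration keys.

```python
"""Added example, not Airflow's own code: decide whether to show an
"insecure deployment" banner from the webserver config and the incoming
request. Field names below are assumed, not Airflow's real config keys."""
from dataclasses import dataclass
from typing import List, Optional

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


@dataclass
class WebserverConfig:
    authenticate: bool = False          # assumed: UI authentication on/off
    api_auth_enabled: bool = False       # assumed: REST API authentication on/off
    hide_insecure_banner: bool = False   # assumed opt-out for intranet-only setups


@dataclass
class Request:
    scheme: str   # "http" or "https" as seen by the webserver
    host: str     # value of the Host: header, possibly with a port


def host_without_port(host: str) -> str:
    """Strip a port: 'localhost:8080' -> 'localhost', '[::1]:8080' -> '::1'."""
    if host.startswith("["):
        return host[1:host.index("]")]
    # exactly one colon means host:port; more than one is a bare IPv6 literal
    return host.rsplit(":", 1)[0] if host.count(":") == 1 else host


def insecure_reasons(cfg: WebserverConfig, req: Request) -> List[str]:
    """All conditions that currently apply; empty list means nothing to flag."""
    reasons = []
    if not cfg.authenticate:
        reasons.append("UI authentication is off")
    if not cfg.api_auth_enabled:
        reasons.append("API authentication is off")
    if req.scheme == "http" and host_without_port(req.host) not in LOCAL_HOSTS:
        reasons.append("served over plain http on a non-localhost Host")
    return reasons


def banner_text(cfg: WebserverConfig, req: Request) -> Optional[str]:
    """Tooltip text for the navbar warning, or None when nothing is shown.

    The opt-out suppresses the banner but insecure_reasons() still reports
    the conditions, so a deployment can log them even when the UI is quiet.
    """
    reasons = insecure_reasons(cfg, req)
    if not reasons or cfg.hide_insecure_banner:
        return None
    return "Authentication is off, this Airflow instance is not secure: " + "; ".join(reasons)


if __name__ == "__main__":
    cfg = WebserverConfig()
    req = Request(scheme="http", host="airflow.example.internal:8080")  # constructed
    print(banner_text(cfg, req))
```

Keeping `insecure_reasons()` separate from `banner_text()` is deliberate: an operator who disables the banner for an intranet-only instance still gets the conditions in a form that can be written to the webserver log or exposed to monitoring.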
What about a clear alert on the UI showing when auth is off? Perhaps a
large red triangle-exclamation icon on the navbar with a tooltip
"Authentication is off, this Airflow instance is not secure." and clicking
takes you to the docs' security page.
Well and then of course people should make sure th
One of our engineers wrote a blog post about the UMG mistakes as well.
https://www.astronomer.io/blog/universal-music-group-airflow-leak/
I know that best practices are well known here, but I second James'
suggestion that we add some docs, code, or config so that the framework
optimizes for being
Bumping this one because now Airflow is in the news over it...
https://www.bleepingcomputer.com/news/security/contractor-exposes-credentials-for-universal-music-groups-it-infrastructure/?utm_campaign=Security%2BNewsletter&utm_medium=email&utm_source=Security_Newsletter_co_79
On Fri, Mar 23, 2018
While Googling something Airflow-related a few weeks ago, I noticed that
someone's Airflow dashboard had been indexed by Google and was accessible
to the outside world without authentication. A little more Googling
revealed a handful of other indexed instances in various states of
security. I did m